Authentication token safety

Because the API can be used to access, interact with, modify, and delete metadata on Vimeo, there are some best practices developers should follow when working with their authentication tokens.

Avoid sharing your client_secret or access_token in public or over email. Vimeo Staff members who discover access tokens or client secrets in public may revoke those credentials on our backend without notice to the owner.

Generate tokens with only the scopes your application needs. Omitting unnecessary scopes limits the potential for misuse if the token is obtained by an unauthorized party.
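One way to apply the scope guidance above, as an added example that is not Vimeo's own code: derive the scopes an application needs from the features it ships, request only those, and flag existing tokens that carry more. The feature map, token labels, scope names, and placeholder values are assumptions made for illustration; take the real scope names from the API's scope reference.

```python
from urllib.parse import urlencode

# Hypothetical feature-to-scope map for an app that only lists and uploads videos.
# Scope names are illustrative; use the ones in the provider's scope reference.
FEATURE_SCOPES = {
    "list_public_videos": {"public"},
    "list_own_videos": {"public", "private"},
    "upload_video": {"public", "private", "upload"},
}

def required_scopes(enabled_features):
    """Union of the scopes the enabled features actually need."""
    needed = set()
    for feature in enabled_features:
        needed |= FEATURE_SCOPES[feature]
    return needed

def audit_token(granted_scope_string, needed):
    """Compare a token's granted scopes with what the app needs.

    Assumes the OAuth 2.0 convention of a space-delimited scope string.
    """
    granted = set(granted_scope_string.split())
    return {
        "excess": sorted(granted - needed),    # candidates for re-issuing narrower
        "missing": sorted(needed - granted),   # would cause authorization failures
    }

def authorization_query(client_id, redirect_uri, state, needed):
    """Query string for an authorization request that asks only for `needed`."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(sorted(needed)),
    })

if __name__ == "__main__":
    needed = required_scopes(["list_own_videos", "upload_video"])
    # Constructed inventory: token labels mapped to their granted scope strings.
    inventory = {
        "ci-uploader": "public private upload",
        "legacy-admin": "public private upload edit delete interact",
    }
    for label, granted in inventory.items():
        print(label, audit_token(granted, needed))
    print(authorization_query("CLIENT_ID_PLACEHOLDER", "https://app.example/callback",
                              "STATE_PLACEHOLDER", needed))
```

A token reported with a non-empty "excess" list should be replaced by one generated with the narrower scope set, and the old token revoked.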